We are pleased to announce that ReportPortal has successfully completed its annual SOC 2 Type II audit for the latest reporting period. The independent assessment confirmed that our security and operational controls were appropriately designed and operated effectively throughout the audit timeframe. For enterprise security, compliance, procurement, and vendor risk teams, this renewal provides validated assurance and helps streamline vendor evaluation processes.
This marks the third consecutive year that ReportPortal has renewed its SOC 2 attestation – demonstrating that our security program is not a one-time initiative, but a sustained and mature operational discipline embedded across our organization.
What SOC 2 Type II means
SOC 2 Type II is an independent third-party audit conducted in accordance with the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Unlike a point-in-time certification, SOC 2 Type II evaluates whether controls operate effectively over a defined period. Auditors examine detailed evidence – including policies, access controls, monitoring activities, change management procedures, and risk management practices – to verify consistent execution.
The audit requires the provision of extensive documentation and artifacts. Thanks to well-established security processes within ReportPortal and the broader governance framework of EPAM, we did not need to implement urgent remediation efforts to meet audit expectations. Instead, we demonstrated through evidence that our controls were already functioning as required.
Why this matters now
Over the past decades, business operations have increasingly shifted online. Organizations now rely heavily on cloud-based infrastructure – including IaaS, PaaS, and SaaS models – to reduce capital expenditures and accelerate innovation. While this model increases flexibility and efficiency, it also raises expectations around data protection and operational resilience.
In regulated industries such as financial services, non-compliance can lead to significant regulatory and reputational consequences. Standards like PCI DSS underscore the importance of maintaining strong safeguards for sensitive information.
As businesses increasingly entrust third-party providers with confidential data, the stakes continue to rise. Organizations must ensure that sensitive data is protected from unauthorized access, misuse, or unintended exposure – including scenarios where private data could be improperly used, for example, to train large language models (LLMs).
At the same time, vendor security questionnaires alone are often insufficient. Security teams cannot always independently verify vendor statements. SOC 2 addresses this challenge by providing independent validation based on auditor-reviewed evidence – not just written assurances.
Today, SOC 2 has effectively become a baseline requirement for enterprise third-party risk management programs. Security maturity must extend across the entire supply chain. It is not enough for an organization to be secure internally – its vendors must meet comparable standards. Independent audits help ensure there are no weak links, because once a security incident occurs, remediation is already reactive.
Our multi-year SOC 2 renewal demonstrates long-term commitment to maintaining these expectations.
What this means for ReportPortal customers
This renewal directly supports customer needs by enabling faster vendor onboarding, easier security reviews, and increased confidence in ReportPortal’s security program.
For enterprise procurement and security teams, a current SOC 2 Type II attestation reduces evaluation friction by providing independently validated assurance of control effectiveness. It simplifies due diligence processes and supports internal approval workflows.
By maintaining SOC 2 compliance year after year, we help our customers move forward with greater confidence in the strength and stability of our security controls.
Security as an ongoing commitment
Beyond supporting customer reviews and onboarding processes, SOC 2 renewal is part of a broader, continuous, long-term security strategy. Security at ReportPortal is integrated across organizational processes and supported at every level. We maintain structured risk assessments, ongoing monitoring, governance controls, and continuous improvement practices to ensure our safeguards remain effective as our platform evolves.
By renewing SOC 2 for the third consecutive year, ReportPortal reinforces its commitment to transparency, accountability, and enterprise-grade security standards.
SOC 2 vs. SOC 3: understanding the difference
To support different stages of vendor evaluation, ReportPortal provides both SOC 2 and SOC 3 reports:
SOC 2 Type II report: A detailed report that describes our control environment, testing procedures, and auditor results. Because it contains sensitive information about internal controls, it is typically shared under NDA upon request.
SOC 3 report: A high-level summary confirming successful completion of the SOC 2 audit. It does not include detailed control descriptions and can be shared publicly without NDA.
For many organizations, the SOC 3 report provides sufficient initial assurance to proceed with evaluation, while the SOC 2 Type II report offers deeper transparency for full security reviews. When customers need assurance for periods after the SOC report end date, we can also provide bridge letters – management attestations summarizing any material changes to our control environment since the last report, helping close gaps between audit cycles during vendor risk reviews.
To request the SOC 2 Type II report or SOC 3 report, please reach out via our official contact form.
Our team is ready to support your security and compliance evaluation process.